GDPR for online businesses

GDPR enters into force on May 25, 2018. This day is very nigh and if you are in the online business but still oblivious of the Regulation, it is high time you found out what it is and how it can affect your online business.

Whether you have a commercial website, online shop, a blog or some other form of a website, and if you do business within the European Union, you are liable under this regulation and can pay draconic fees to the EU for a personal data breach. Sanctions include fines up to € 20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83).

In order to avoid such extreme cases, it is important to get informed about it and avert disaster.

Important note: This article does not constitute legal advice. For more information about GDPR, read the text of the regulation itself and talk to an expert in EU law to help you with aligning your business with its provisions.

What is GDPR?

General Data Protection Regulation, a.k.a. GDPR is a regulation of the European Parliament and of the Council adopted on April 27, 2016, and with the date of application from May 25, 2018. This means that the EU allowed for the member states (and the rest of the world) to get to know the regulation and adjust their business law to the provisions of the regulation.

Now, you may ask yourself: what does this have to do with you – an American, an Australian, a Canadian, a Brit or, a Chinese person if your country is not a member of the EU (or plans to escape from it). Well, we need to look into what a regulation means in EU law.

An EU Regulation is a legal act of the European Union which becomes immediately enforceable as law in all member states simultaneously, overriding all national laws dealing with the same subject matter. Unlike directives, regulations need not be transposed into national law, but have a rather general application.

GDPR of 2016 repeals the old Directive of 1995 concerning the protection of individuals with regard to the processing of personal data and on the free movement of such data. Since the Internet and data processing have changed significantly in the past 20 years, due to the development of technologies, the law has to change as well, and so do we.

If you are wondering of extraterritoriality of GDPR (Article 3 of GDPR), the fact is that it protects the citizens of the EU no matter where they are, so if you already do business within the EU or plan doing so, by getting into contact with EU citizens’ personal data – you must abide by GDPR.

Digital rights

The thing about GDPR is that it brings a new set of digital rights for EU residents in the digital age we all live in, where such data has economic power and can be misused by third parties.

Since this regulation protects natural persons and not legal persons, the former have the following rights (a.k.a. rights of the data subjects):

1. Right to transparency and access to information by the data subject (Articles 13-15)

2. Right to rectification (Article 16)

3. Right to erasure (‘right to be forgotten’) (Article 17)

4. Right to restriction of processing (Article 18-19)

5. Right to data portability (Article 20)

6. Right to object (Articles 21-22)

This means that users have the right to request data which you collect about them, even correct them if they like, but also to demand you erase them (the right to be forgotten) or restrict data processing or moving to third parties, and even they have the right to object to such processing and revoke their consent at any time.

What does GDPR mean for your website and business?

Your business is liable under the GDPR under following conditions:

If you do online business activities within the EU, no matter if your company is not established in the EU;

If you plan to or already use such data for profiling, ads or other activities;

If you collaborate with third parties (e.g. plugins, SaaS, etc.) which gather, store or use EU residents’ data.

If you meet any of these conditions, you need to develop mechanisms within your company for dealing with personal data and keeping them safe on your premises.

GDPR for website owners

Website owners need to be aware of their obligations in order to avoid GDPR liability.

1. Consent. If you want to gather, use or store data of EU citizens, you must get their prior written consent for cookies, e.g. Google Analytics (Article 7). They must be informed of giving such consent, meaning that they need to tick a box or click on a button giving their consent to your website. Additionally, data subjects (website users) can revoke their consent and such withdrawal must be made easy for them.

2. Data protection. Online businesses need to designate a data protection officer within their company who will be in charge of data protection (Articles 37-39). Special notice must be taken of children’s consent – it is lawful only if the child is 16 years old (Article 8). The data collected from users must be safely stored and access of unauthorized persons must be prohibited, unless for legal purposes (e.g. when asked by the authorities, such as the police or a court for trial purposes).

3. Privacy policy. If you already do not have a privacy policy on your website, draw up one with your legal adviser. DO NOT copy and paste it from another website. Mind you that a privacy policy needs to state what data you use, store or process in any way but mind you that it needs to be written in plain English (or whatever your language might be) so that the users can easily understand it. Avoid the so-called Legalese – language full of legal terms which may be confusing for your average website user.

4. Terms of use. Your website needs to have terms of use which the users must accept to obey when browsing your website, especially when giving their data via contact forms, newsletter application, carts, and checkout information, etc.

5. Third party liability. When using plugins or even hosting services, you need to collaborate with those providers which are already GDPR-compliant in order to avoid liability.

Once again, we remind that this article does not intend to give legal advice but is intended to help you better understand the scope and provisions of the GDPR. It can affect your business in many ways so you need to be well-informed if you plan to stay in the market.